When Edward Snowden leaked a veritable treasure-trove of documents to Guardian journalists Glenn Greenwald and Laura Poitras, nobody could have predicted the impact his revelations would have upon the world. In particular, the Snowden revelations had a profound and significant effect on the crypto world, for two important reasons.
Firstly, for the first time ever, there was a general awareness of the depths of government surveillance of the Internet, especially by the British and American security services. The aftermath of this was that consumers in ever greater numbers started looking towards encryption to protect their privacy.
The second was the catastrophic loss of public faith in proprietary, corporate encryption packages. This was largely a product of the discovery that RSA had been paid $10,000,000 by the American National Security Agency to compromise their flagship encryption software.
These two factors have resulted in a phenomenal surge of interest in open source encryption, both by consumers and power-users.
The problem is that encrypting messages has never been especially straightforward. The science behind secure encryption is ridiculously complicated, and most encryption packages aren’t especially user-friendly. As a result, they’ve not really penetrated the consumer sphere in any meaningful way.
Until now. Meet Keybase.io.
So, What’s This Keybase Thing Then?
Founded by Max Krohn and Chris Coyne, who previously founded OK Cupid, Sparknotes and TheSpark, it’s presently only available in a private alpha. It markets itself as “a public directory of publicly auditable public keys. All paired, for convenience, with unique usernames”.
Built upon the venerable and battle-hardened GNU Privacy Guard, Keybase allows users to easily encrypt, decrypt and share messages within a tried-and-tested encryption standard. Furthermore, all public keys are tied to user accounts on the Keybase websites, in addition to Twitter and Github accounts.
Messages can be encrypted through a relatively intuitive Node.js-based command-line application, or through the Keybase website. How does it work? Well, a bit like this.
First, you need to track the user you’re messaging. Here, I’m tracking MakeUseOf’s Android editor, Erez Zukerman. Hi Erez!
Then open up a terminal window, and type the following.
keybase encrypt ezuk -s -m 'Hey Erez! Keybase is pretty cool, eh?'
So, what do the '-s' and '-m' flags do? Simply put, '-s' means that you're 'signing' your message, adding an extra layer of authentication so that the recipient can check that you were the original sender. '-m' means that everything that follows is the message I'm sending to Erez.
I then copy the output into an email, which I then shoot off to Erez, where he’ll then decrypt it using the following command.
keybase decrypt -m "message"
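Because the Keybase command-line tool is built on GNU Privacy Guard, the two commands above map onto ordinary gpg operations. The script below is an added example, not Keybase's own code or its exact gpg invocation, and uses two constructed throwaway identities in temporary keyrings. It walks through the same steps: each side "tracks" the other by importing only a public key, the sender encrypts once with signing (the '-s' case) and once without, and the recipient decrypts both and checks whether a good signature was present. It also illustrates the later point about private keys: nothing but public key material ever leaves either keyring.

```shell
#!/bin/sh
# Added example (not Keybase's code): the GnuPG operations underneath
# "keybase encrypt ezuk -s -m ..." and "keybase decrypt", run with two
# throwaway key pairs in temporary keyrings. Identities are constructed.
set -eu

WORK=$(mktemp -d)
SENDER_HOME="$WORK/sender"     # sender's keyring: his secret key stays here
RCPT_HOME="$WORK/recipient"    # recipient's keyring: his secret key stays here
SENDER_ID="Matthew (demo) <matthew@example.invalid>"
RCPT_ID="Erez (demo) <erez@example.invalid>"
MESSAGE='Hey Erez! Keybase is pretty cool, eh?'

# Stop the per-keyring agents and remove the temporary keyrings on exit.
trap 'GNUPGHOME="$SENDER_HOME" gpgconf --kill gpg-agent 2>/dev/null || true;
      GNUPGHOME="$RCPT_HOME" gpgconf --kill gpg-agent 2>/dev/null || true;
      rm -rf "$WORK"' EXIT

# Generate an unprotected key pair in the given keyring (batch mode, no passphrase).
make_key() {  # $1 = GNUPGHOME, $2 = user id
  mkdir -p -m 700 "$1"
  GNUPGHOME="$1" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
      --quick-generate-key "$2" default default never 2>/dev/null
}

# Copy only the PUBLIC key of $2 from keyring $1 into keyring $3.
# This is the "tracking" step: the private key never crosses this boundary.
share_public_key() {
  GNUPGHOME="$1" gpg --batch --quiet --export --armor "$2" \
    | GNUPGHOME="$3" gpg --batch --quiet --import 2>/dev/null
}

# Equivalent of "keybase encrypt <user> -s -m ...": encrypt for the recipient
# AND sign with the sender's secret key. Message is read from stdin.
encrypt_signed() {  # $1 = output file
  GNUPGHOME="$SENDER_HOME" gpg --batch --quiet --yes --armor --trust-model always \
      --local-user "$SENDER_ID" --recipient "$RCPT_ID" --sign --encrypt --output "$1" 2>/dev/null
}

# Equivalent of "keybase encrypt <user> -m ..." without -s: encrypt only.
# Anyone holding the recipient's public key could have produced this.
encrypt_unsigned() {  # $1 = output file
  GNUPGHOME="$SENDER_HOME" gpg --batch --quiet --yes --armor --trust-model always \
      --recipient "$RCPT_ID" --encrypt --output "$1" 2>/dev/null
}

# Equivalent of "keybase decrypt": recover the plaintext with the recipient's secret key.
decrypt_text() {  # $1 = armored file; prints the plaintext
  GNUPGHOME="$RCPT_HOME" gpg --batch --quiet --decrypt "$1" 2>/dev/null
}

# The check a recipient should make after decrypting: did the message carry a
# good signature from a key in the keyring? Prints "signed" or "unsigned".
signature_status() {  # $1 = armored file
  if GNUPGHOME="$RCPT_HOME" gpg --batch --status-fd 1 --output /dev/null --decrypt "$1" 2>/dev/null \
       | grep -q '^\[GNUPG:\] GOODSIG '; then
    echo signed
  else
    echo unsigned
  fi
}

make_key "$SENDER_HOME" "$SENDER_ID"
make_key "$RCPT_HOME" "$RCPT_ID"
share_public_key "$RCPT_HOME" "$RCPT_ID" "$SENDER_HOME"    # sender tracks recipient
share_public_key "$SENDER_HOME" "$SENDER_ID" "$RCPT_HOME"  # recipient tracks sender

printf '%s\n' "$MESSAGE" | encrypt_signed "$WORK/signed.asc"
printf '%s\n' "$MESSAGE" | encrypt_unsigned "$WORK/unsigned.asc"

echo "signed message:   $(decrypt_text "$WORK/signed.asc") [$(signature_status "$WORK/signed.asc")]"
echo "unsigned message: $(decrypt_text "$WORK/unsigned.asc") [$(signature_status "$WORK/unsigned.asc")]"
```

Both ciphertexts decrypt to the same text; the difference is that only the signed one lets the recipient tie the message to the sender's key. That is the extra layer '-s' adds, and a recipient who does not check for it gains nothing from the sender having signed.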
But You Mentioned A Website?
I’ve banged on heavily about the Keybase command-line application, which I think is an impressive, polished product. But I also mentioned that it’s possible to use the Keybase website to encrypt and decrypt messages.
This first requires that you upload your private key to their servers. This is the key which is unique to you, and allows you to encrypt and decrypt messages. As the name implies, this is something which you need to keep absolutely, 100% secret.
If your private key is leaked, it then becomes possible to decode any messages you have previously encrypted. Keybase has made assurances to users that any private keys stored on their servers are kept in a secure fashion. Despite that, I’m not happy that Keybase are asking their users to surrender their private keys in the first place. Erez Zukerman has some thoughts on the matter:
@matthewhughes Just got my Keybase account. Looks nice, but I really hope you didn't upload your private key, "client-side crypto" or not!
— Erez Zukerman (@the_ezuk) March 8, 2014
@matthewhughes And I can't say I think it's great that they encourage people to upload their private keys – no crypto service should ask you
— Erez Zukerman (@the_ezuk) March 8, 2014
Whilst I don’t doubt the competence of the team behind Keybase, I wonder what would happen if they were subpoenaed for the private keys which have been submitted by their users. I’m also concerned about what would happen if they experienced a major security breach. As a result, there’s no way I can recommend that you use the Keybase web application in good conscience.
I predict that Keybase will find themselves facing a mountain of challenges in months to come. These will range from protecting users against government intrusion, to further simplifying their platform to a point where encryption becomes accessible without demanding that users provide their private keys.
Despite that, in its present incarnation Keybase is a solid product, and one I recommend wholeheartedly. I’m pretty enamored with the command-line application, which is easy to install, easy to use and doesn’t require the user to hand over their all-important private keys.
But what do you think? Drop me a comment below and let me know.